Previously: common sense one, bullshit documents zero (Jury verdict in a privacy case)

On the Monopoly Report podcast, Alan Chapell interviews Cindy Cohn, until recently the executive director of the EFF. Episode 78: Privacy’s Defender Cindy Cohn on Encryption, Surveillance, Privacy Rights, and the Future of Digital Freedom.

Listen to the whole thing. One part that I noticed is the discussion of private right of action in privacy laws.

Alan Chapell:

So you you mentioned the private right of action a moment ago and I come at this from a little bit more of a business community perspective. I look at what’s going on with the the California Information Privacy Act or even VPPA. And some of that just seems insane to me because you’re you’re not really helping consumers. You’re creating a whole bunch of challenges for the business community. And not to mention there are a set of rules in California had some some thoughts on how one could do a private right of action that was a little bit more sane.

Cindy Cohn:

I’m a litigator. I think that the courts are a good place to sort out some of these things if you give them the right tools to evaluate them. So, you know, I think simpler rules are easier. I am a huge fan of kind of basic ideas around privacy like no secondary uses of data. If you give information to my phone company because I want my phone to ring it can’t turn around and sell that location data on the open market without something that’s much much higher than a clickbox, right? The rule is not hard. there might be some edge cases but it’s pretty easy. Or I also like the fiduciary duty idea that that we create duties in the people who handle our data to to be loyal to us. Now, that could create a lot more gray spaces because what does loyalty look like and things like that, but we figured it out in negligence law. And in some of the other things, again, there might be a messy middle, but I’d rather see a messy middle than the world now where people lose all control of their data when they give it to the first entity and it becomes theirs to control.

The “challenges for the business community,” though, are not really because of the law, or the lawyers doing private right of action. Lawyers showing up is a symptom of an underlying problem: a mismatch between what’s considered normal in modern marketing and what’s considered acceptable by everyone else. Lawyers file the cases that are likely to win, so they have to think backward about how a jury would react. They’re not going to invest time in a case that wouldn’t fly with regular peole.

And we have known for a while that marketing privacy norms are different from those of regular people. Americans Reject Tailored Advertising and Three Activities That Enable It came out in 2009. And the research since then has been pretty consistent, too. Not consistent as in uniform, consistently diverse. People are different.

But marketing, according to a report from BBH Labs, has the highest “group cohesion score” of any occupation.

How can we possibly understand, represent and sell to an entire country when we exist in such a bubble? We like to style ourselves as free thinkers, mavericks and crazies, but the grim truth is that we’re a more insular profession than farming and boast more conformists than the military. We have become the followers of Brian, shouting “we are all individuals” in mindless unison. No wonder we’re so out of touch.

The people who run into the kind of “privacy compliance” problems that they need to ask Alan Chapell about are the inhabitants of a peculiar filter bubble where not only do words like “relevance” mean something different, all the norms about how people use information about each other are oversimplified and skewed in the same direction.

Hey, you know that Mark Zuckerberg dude who was chosen as “least trusted” in that one poll? Can you please set up some software to let him know what page of my medical device manual I’m reading? — Your customer, probably not

A company with privacy right of action problems doesn’t have a problem with lawyers, or even with laws. They might have a problem with compliance taxes imposed on regular companies by Big Tech, but the root cause is deeper. That company has a problem with juries. The same people who, in another context, are customers or potential customers.

To re-connect, try the interruption test.

How to do the interruption test

Nobody wants to deal with a privacy case that goes all the way to a jury, just to find out what people think about your data practices. That’s expensive. Fortunately, it’s easier to talk to the potential jurors up front. And it’s possible to spot the kinds of privacy issues that could turn into a whole case, way before lawyers do.

1. Get a group of regular people together. Customers and the kind of people you think would be likely customers. Call it a research panel, a focus group, whatever.

2. Explain how the company uses data and inferences for marketing. The explanation doesn’t have to be long, make it as if it were a short item for an audience of co-workers at a company all-hands meeting.

3. When someone interrupts and asks something like “how do I turn that off?” or “how do I delete my name?” those data practices failed the test.

If you get through explaining the whole thing, you’re probably good. Yes, a lawyer should give the privacy policy a thorough read, but the main thing is how to re-anchor the marketing profession’s data norms to be somewhere close to regular people’s.

More: the 30-40-30 rule

Bonus links

The Washington Post Loves Data Centers a Lot More Than Disclosing Jeff Bezos’s Financial Interest in Promoting Them by Paul Farhi. Similarly, the corporate web of connections is even more complicated than Post readers would ever learn from its editorial page. Amazon and OpenAI aren’t just competitors in the AI race; they’re partners under a multiyear, $138 billion investment by OpenAI into AWS’s cloud-computing infrastructure. I couldn’t find a single reference to this agreement in any of the paper’s supportive commentary.

What Was Matt Thinking? By Ernie Smith. Wright, and others like him, hit upon an obvious need. Regular people found these scripts, ran them, and suddenly had forums, counters, and contact forms. They got the job done. But programmers who weren’t in high school and weren’t so wet behind the ears looked aghast at what Wright had done: He had spread poorly designed, but widely used software across the internet.

In memory of the man who put red and green squiggles under words by Raymond Chen. Tony made the spell checker much more unobtrusive so that it didn’t interfere with your foreground work.

https://worksinprogress.co/issue/how-madrid-built-its-metro-cheaply/ by Ben Hopkinson. The winner of regional assembly elections has all of the levers of control over a project at their disposal. They can approve new projects, fund those projects by borrowing, and oversee the construction to deliver the project. Enterprising politicians at the regional level of government could claim that they are going to build metro extensions, and then have the power to build; in turn their political fortunes would be tied to successfully delivering the project.

While the big cheeses of online advertising are away at Cannes, France, we might as well be honest about something. Online advertising is a dirty business. Even people who disagree with that in general tend to be of the opinion that the ads are full of fraud and mysterious fees except for whatever piece of the ad stack that their particular company is watching right now. Example: What AI is about to expose about programmatic advertising from Matt Wasserlauf, CEO, Blockboard. (Will “AI” catch the fraud? Or just make more layers of complexity for fraud to hide in?)

One of the rackets that make up this whole mess is “consent.” The “consent” as managed by adtech’s “consent management” is not consent as we know it. In order to count for anything, consent has to be informed. And if I ordered pizzas to feed everyone in the world who understands web ads well enough to give informed consent to them, the driver would be able to bring all the pizzas from the car in one trip.

Unless the user is one of a small group of extreme adtech experts and privacy researchers, sites and adtech firms are just going through the motions of pretending to have consent. A whole sub-industry of the adtech business has built up around managing fake consent. That’s because under EU law you need some kind of “lawful basis for processing” for personal information, and so-called “legitimate interest” (LI) no longer works for personalized advertising. Even Meta, which has the lawyers to draft a ToS longer than the US Constitution, and a hiring revolving door for politicians, can’t get away with LI. Big Tech is too complicated, one-sided, and icky to get real consent, but because the fix is in in Ireland, everybody in the business can get away with the fake kind in Europe for now. (The USA is another story. Here, the standard for consent is what a jury will accept, and juries have more common sense than EU bureaucrats.)

So if fake consent is at best a show put on for crooked Irish politicians and bureaucrats, and at worst something that will just make a company look worse to a jury, why spend time on it? Doc Searls suggests replacing the fake consent stack entirely, in Digital Omnibus Article 88b needs to be about contract, not just consent.

For customers, the most obvious one is getting rid of cookie notices, which are annoying and not worth the pixels they are printed on.

Doc suggests replacing fake consent with real contracts as a basis for processing—which is doable. Contract formation between a web site and a visitor is an established thing, and it’s even possible to do it without JavaScript or extra software on the server. And, ignoring the ads, sites need to get people to be parties to the ToS anyway, to have a better chance of enforcing their “AI” training rights. And if sites can come up with a few standard contracts, the way the open source software business has settled on a few standard licences, then it’s feasible for a person to pick and understand a contract. It’s not like fake consent, where people have to pretend to understand tens or hundreds of “partners.” In principle, Doc is right and contract should be able to work better. In order to make the shift work, it’s necessary not only to make the contract, but also to remove the fake consent. Surveillance takes the most convenient lawful basis for processing, like electricity taking the easiest path to ground. If fake consent is available, companies won’t form a contract.

A folk privacy practice that works

The first, uninformed, answer to the fake consent problem, that a lot of people come up with, is: let’s just block the annoying “cookie banner.” And that works surprisingly well. No fake consent, now the site has a motivation to do a contract. And it turns out that the same software that blocks the “cookie banner” and prevents getting fake consent can also indicate that the user is willing to accept a contract. Some folk privacy practices are ineffective or out of date, but coming up with some way to “get this annoying banner out of my face” is a solid basis to build on.

But sites aren’t going to abandon their existing investment in fake consent unless they have to. Whatever people come up with to implement MyTerms is going to have to block fake consent too. The tinyMyTerms demo implementation of MyTerms uses an standard ad blocker, something that people need anyway and that most people in the USA already have.

Doc’s call to action is at the bottom of that blog post so check it out.

Bonus links

Montana’s SB535 and a Potential Biotech Renaissance in America by Alex Tabarrok. Montana’s regulatory system creates the possibility of a self-funding clinical pipeline: companies using early commercial revenues to finance the path to full FDA approval. You get treatments to patients faster, and you keep companies alive long enough to prove their treatments work.

Quartz countertops are driving a public health crisis in the US – 2 occupational health experts explain the surge of lung transplants and lawsuits by David Michaels and Robert Harrison. An estimated 100,000 workers are employed in countertop fabrication shops in the U.S., and studies suggest that 20% or more of exposed workers develop silicosis.

Mika Model by Paolo Bacigalupi. (Short story posted in 2016—IMHO it should make the rounds again since sycophantic AI is trending)

Who Needs GPS? The Forgotten Story of Etak’s Amazing 1985 Car Navigation System by Benj Edwards. (Another old one, but hey, Tests suggest Russian satellites can jam GPS on a continental scale, maybe time to reimplement?)

Something has been bugging me ever since I read Texas AG sues Meta over claims that WhatsApp doesn’t provide end-to-end encryption by Dan Goodin.

If WhatsApp really is end-to-end encrypted, why is Meta so popular with governments when other, less widely used, encrypted apps are getting hassled so much?

There’s a whole Apple–FBI encryption dispute article on Wikipedia. So where is the corresponding controversy for WhatsApp—which is supposedly just as encrypted?

How do all of these facts make sense at the same time?

• As far as external researchers can tell, WhatsApp has end-to-end encryption.

• WhatsApp has more than 3 billion users, more than any of the other encrypted messengers

• Meta remains politically well-connected and influential even in countries where politicians have strong positions against end-to-end encryption.

It’s like, if Tom Bombadil in The Lord of the Rings is both good and powerful, then why is his home forest so infested with evil creatures? Something doesn’t make sense here.

WhatsApp is the biggest mystery on the Internet, if you go by user count. It’s nearly universally used in many places where politicians and law enforcement have no affinity for end-to-end encryption. So where are all the “WhatsApp is enabling [bad people] by refusing access to messages about [significant event]” stories? If Meta was really offering unbreakable end-to-end to such a large user base—they claim more than three billion users—it seems to me that they would be catching hell. The sound of the dogs not barking here is starting to get to me. Maybe Meta lobbyists are so good at politics that they can somehow get governments to be fine with real end-to-end? But is anybody that good at politics?

A recent lawsuit claims that a Meta employee was able to see some WhatsApp message plaintext in an internal application. (More: US authorities reportedly investigate claims that Meta can read encrypted WhatsApp messages) That means one more inconvenient fact to explain. How does this work?

“A worker need only send a ‘task’ (i.e., request via Meta’s internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job,” the lawsuit claims. “The Meta engineering team will then grant access—often without any scrutiny at all—and the worker’s workstation will then have a new window or widget available that can pull up any WhatsApp user’s messages based on the user’s User ID number, which is unique to a user but identical across all Meta products.

And Adrian Găitan writes, in WhatsApp’s “End-to-End Encryption” Is the Biggest Lie in Tech History — And I Can Prove It Mathematically,

WhatsApp is the only major secure messaging app that provides law enforcement with near-real-time surveillance data. A pen register order — a legal instrument that captures the source and destination of communications — is fulfilled by WhatsApp every 15 minutes, automatically, in software. While you’re messaging someone, an agent with a pen register order receives a timestamped packet of metadata every quarter hour showing exactly who you’re communicating with. In near-real time.

Metadata access and the ability of governments to get access to devices and to cloud backups might explain a lot of how Meta can both offer end-to-end encryption and stay well-connected with governments. But those don’t provide all the access that governments want. (Did law enforcement agencies really do all the stuff in Dark Wire and then say, well, gosh, we caught so many people doing crimes with relatively little investment, and it worked hella well, let’s just not do it again?)

But maybe it’s possible for the mystery of WhatsApp to make sense. What if their cryptography code is really end to end, no tricks, but the random number generator is somehow gimmicked to limit the number of possible keys? Not to thousands of possible keys like the Debian OpenSSL bug—that would be too easy to spot—but to some set of possible keys that is both

• large enough to look legitimately random and avoid two people ever getting the same private key, and

• small enough to search using computing resources available to Meta?

Meta could gimmick the RNG as a build and release step, so that as few people as possible have to know. Most developers with access to the WhatsApp source code could be kept ignorant of it, like AT&T was able to limit access to Room 641A.

So for most purposes, for most people, WhatsApp can stay real end-to-end, but if there’s some user whose messages Meta really wants to read (on behalf of some government or just cuz whatevs) they can start a job on a cluster, get the necessary private key, and decrypt? And Meta keeps both security cred and political juice. These things don’t stay secret forever, but if there is an RNG flaw, when it comes out it’s just another oops-a-bug-our-bad-please-update story, and those scroll out of the news cycle’s context window quickly so they can come up with something else.

Bonus links

Trump administration reverses decision to scrap ocean monitoring system by Maya Yang. (You can’t do high-end sonar without temperature and salinity data. Just wait for however long it takes these things to get leaked or declassified—it will turn out that the US Navy was the key member of the range of stakeholders for this project.)

Meta’s CTO says morale is almost ‘the worst it’s ever been’ by Charles Rollet. (Fan theory: the low morale is part of the plan, because the real ML training project is a “leaker prediction AI” that will be the differentiating feature of Meta’s upcoming b2b cloud service. More: ‘It’s literally the gulag’: inside the revolt at Meta’s AI unit, where elite engineers were drafted to label data by Alina Maria Stan)

Quote Origin: Punks Are Basically Nice People Pretending To Be Mean, Whereas Hippies Are Mean People Pretending To Be Nice on Quote Investigator

Ads Evading Pi-hole with iOS 27 by Adrian Sutton. (When the Pi-hole blackholes an ad domain the request fails, iOS decides the Wi-Fi must be flaky, and helpfully retries the same request over mobile data — where there’s no Pi-hole in the path. So the ad not only loads, it burns through my data allowance to do it.)

The Retweeting Class by Robin Berjon. (Read the whole thing. Now I have to think, am I collecting and sharing opinions in order to look respectable, or in order to change the situation?)

Open Source vs the Invisible Hand by Andrew Nesbitt. If you handed an economics undergraduate a description of how open source libraries are produced, without saying what it was, and asked them to predict the outcome, they would tell you it doesn’t add up. Non-excludable goods with no price, no contracts, no liability, a median producer headcount of one, and near-total free riding by consumers: there is no model in the textbook under which that arrangement produces anything stable. (What if the answer is something like: Bad IT creates slackful developers. Slackful developers create good IT. Good IT creates micromanaged developers. Micromanaged developers create bad IT?)

‘Agrivoltaics’ can both power AI data centres and increase food production — new study by Joshua M. Pearce. (It’s a good time to be a solar panel sales rep, just saying.)

Hugh Jackman plays Robin Hood as wicked – it’s a badly timed take on the hero of the poor by William Hoff. (Ayn Rand was famously against Robin Hood, and a lot of high finance types are Ayn Rand fans. Maybe this is the start of a trend, and a movie that depicts J. H. Blair as a big hero is already funded.)

Readers and former readers of science journals and magazines will be able to complete the famous line.

“…reduces an entire mouse to a soup-like homogenate in 30 seconds.”

It’s like the “They laughed when I sat down at the piano” of laboratory advertising. There should be an awards show and a coffee table book about this ad.

The Polytron ad keeps getting shared. On Reddit, you can spot it on r/vintageads, r/WTF, and elsewhere. It popped up on science Twitter when that was a thing. The Polytron has entered popular (laboratory) culture in a big way. It’s Kevin Simler’s “cultural imprinting” effect in action, within a subculture. And it’s effective. Try finding a lab that processes samples and doesn’t have a Polytron, and look how many scientific papers include Polytron in their materials and methods.

But I have never seen a Polytron used on an entire mouse. Even mouse researchers generally instead [icky mouse processing redacted, you’re welcome]. The ad is terribly non-personalized. The cultural imprinting effect of an long-running campaign, and the attention-getting effect in the reader’s imagination, outweigh the effect that could have been achieved by dropping in an “AI” headline that personalizes a sample type and homogenization time for each reader based on their own research interests.

Cultural imprinting isn’t just a mass media thing, like the often-repeated beer jingles that George Tannenbaum (and many others) remember from baseball games on the radio. Cultural imprinting can work in a subculture or community of practice, if you meet the people where they are. And trying to do that with general-purpose surveillance advertising is less and less effective for more and more communities, where the most engaged people are getting the best privacy protections. Advertising to subcultures and communities of practice is hard, and it gets both harder and more interesting when the people being advertised to are making a point of blocking or even spoofing the conventional measurement tools. Higher-quality ad creative, coupled with high-reputation media buys or sponsorships, are going to be increasingly important for reaching low-surveillablity niche customer communities.

What reminded me of this was The Paradox Of Personalization: Billions Of AI-Tailored Ads Creates A Measurement Mess by Erez Levin. We must reject the fantasy of infinite creative variations – not just because it is technically impossible but because it fundamentally misunderstands how advertising works for the vast majority of brands. (IMHO, brands are a cognitive hack that uses our existing monkey reputation brain wiring, that we’re already equipped with at the hardware level, to help us participate in markets, where are too new on an evolutionary time scale to have built-in support.)

Brands are built on a collective understanding of what a brand stands for. When you fragment that message into infinite, hyper-personalized silos, you destroy the macro-cultural signal that gives a brand its authority and prestige. It dilutes a shared asset into statistical noise.

Anyway, read the whole thing.

Where cultural imprinting adds risk

In the case of the Polytron, cultural imprinting is a win, because it’s a good idea to have a Polytron in the lab. It works on a large variety of materials, it’s easy to keep clean, it’s surprisingly quiet considering the specs, and if it turns out you don’t need it for now, it only takes a little bit of space and could be useful on a future project.

Cultural imprinting can go both ways, though.

Jessica Orwig, Leon Siciliano, and Lara O’Reilly cover Your candy ads are about to get a lot more personalized, Mars says. Rankin Carroll, chief brand officer of Mars Snacking, says the company behind your favorite candies like M&M’s, Snickers, Skittles, and Twix is reworking how it advertises to consumers — and the shift could mean people start seeing very different versions of the same candy campaign.

Regularly eating high-sugar foods in the middle of the day wasn’t always a thing, and people were probably better off. Cultural changes, driven by advertising, normalized the snacking habit. But now Mars is using “AI” to increase the personalization—which likely means that machine learning systems will “learn” to candymax the people at risk of eating disorders for a quick revenue hit, while pulling back on reinforcing the cultural acceptance. Mars may be opening up an opportunity for cultural imprinting of an alternate habit.icymi: Finally, The True Value Of A Facebook Fan by Bob Hoffman

Related

cheese or woodstain? “Does exactly what it says on the tin.”

personalization risks

The new Polytron has a “sleek design” but some vintage ones with separate motor and control box are still available on the used market.

Bonus links

Trump admin abandons fight against wind energy as clean energy output surges by Aman Azhar. This latest victory in a string of legal setbacks for the administration comes at a time when clean energy production continues to surge despite a slew of policy, permitting, and procedural hurdles imposed by the White House. (fwiw, the attribution cartel omitted any mention of the environmental impact of its extra data processing—green stuff is no longer in fashion with the AI-maxing companies—but they’re increasingly out of touch with regular people anyway. And maybe even their own employees?)

Has AI Already Killed How-To Nonfiction? Sales Trends, My Personal Data, and What It Might Mean for the Future by Tim Ferriss. ChatGPT, powered by the updated GPT-3.5 model, launched on November 30, 2022. There was a gentle -5% slip [in sales of Tim Ferriss books] in 2023, then -13% in 2024, and then the floor disappears: -46% in 2025, followed by an even steeper -57% pace this year. If the run-rate holds, my catalog will sell roughly 80% fewer print copies in 2026 than it did in 2022, with almost all of that happening since LLMs like Claude and ChatGPT exploded in use.

KPMG fabricated AI case studies in a report designed to sell clients on AI adoption by Matthias Bastian. (Consultants are going to have to change how they get paid. The apparent quality of the report or other consultant deliverable, as measured at invoice time, is more and more different from its real value. Some possibilities: On Prediction Market Sales Engineering)

Nobody needs AI to search the Internet, court says in ruling against Google by Ashley Belanger. Potentially impacting all AI search engines and chatbots known to poorly paraphrase source links, a German court has ruled that Google is liable for false statements in AI Overviews. (icymi: fix Google Search to remove the “AI” slop and other crap)

The rise of prediction markets is creating new ethical headaches for journalists by Kaleigh Rogers. (The big underlying problem, though, is prediction markets free-riding on “oracle” information from news sources in order to resolve big-money contracts. In order for prediction markets to stay sustainable and honest, oracle services need to be expensive. More: Pay the oracle.)

VICTORY: Meta Strips Facial Recognition Code From Smart Glasses App After Public Outcry by Cooper Quintin and Rindala Alajaji. (Don’t worry, these features will be back. Time to establish policies and norms for excluding surveillance glasses from any spaces you control or have influence over.)

Ukraine Is Not Losing. Russia Is Not Winning. by Anne Applebaum. The AI-powered drone interceptors are made possible by a complicated network of radar systems, acoustic sensors, and other tools that hundreds of large and small Ukrainian tech companies are creating and updating every day, using data they get directly from soldiers like the ones I met. Almost none of these companies existed four years ago. They have emerged from a tech-literate civil society whose members changed their professions or their focus to help defend their country.

Exclusive: Americans Now Overwhelmingly Oppose New Data Centers Near Them by Robinson Meyer. (But does this opposition translate into minimizing “AI” usage, or cutting back on “AI”-dependent products and services? I do notice that calling a feature “AI” makes people more likely to ask me how to turn it off.)

Advertising’s ‘most hated man’ is back with a new warning for CMOs by Lara O’Reilly. Mandel, who works as an advisor to marketing and tech companies, said his biggest bugbear about the industry now is principal media. The practice takes many forms, but at its essence, it’s when agencies purchase a large volume of media — spots where ads can run — at a discount, resell it to their clients, and make an undisclosed margin on top. (As a privacy nerd, I generally don’t have a beef with the actual advertisers—legit buyers and sellers have a shared interest in a win-win transaction. The problems are mostly with all the crooks in between those who are selling and those who are shopping.)

How Uber saved $35M a year on ads We did a holdout on Meta for 3 months. The results came back conclusively that there was no incrementality. With no ego, pride, budget manipulating, or any other crap I sometimes see, we made the decision to turn off spend on FB and return the money to the business.

It’s time to talk about my writerdeck on Veronica Explains. (Straightforward description of converting an old laptop to a text-only writing tool, with file sync to a more full featured system.)

This Blog Post is Your Sign to Start Self-Hosting You need datacenters to host GMail for everyone on earth, but you only need one small Linux box to run a very significant portion of your digital life.

Pirated Sports Streams Are Warping TV’s Most Important Ratings by James Hercher. To estimate the total missed audience that watched illegal streams of sporting events is practically impossible. Were the viewers hosting parties? Watching alone? Working at a bar or restaurant when they realized they didn’t have the right subscription and decided to pirate? With this in mind, the Super Bowl’s ratings were likely off by somewhere between one and two million total viewers, and that’s being conservative, Adalytics Founder and CEO Krzysztof Franaszek told AdExchanger.

Meat Industry Price Fixer Sentenced to Make Money by David Dayen. Most importantly, Agri Stats would still be able to issue its most critical reports, which ranked processors against their competitors on various metrics. These are the reports that tell processors when to cut supply or raise prices relative to others.

Hey, kids! Sparkline! That’s the estimated count of RSS subscribers to this blog. This is scaled and goes back to about the beginning of the year.

Not perfect—if a desktop RSS user switches clients or networks they get counted twice, but it does use the subscriber counts that services such as Feedbin and NewsBlur pass in the User-Agent header. And I think it fluctuates based on people trying different clients, scraper runs, and other trends. (When I get on “Hacker News” for something, there is always a bunch of weirdly configured bot traffic. A lot of it looks like requests for LLM-generated URLs that I might have used but never did.)

This is basically following the method in Easy SVG sparklines by Alex Plescan, except that in order to work as an img, the SVG file needs an XML namespace. See SVG Not Showing in Browser? Fix It in 30 Seconds on the SVG Genie blog.

Update: A StackOverflow answer from Francisco de Javier covers how to invert the image colors to support dark mode. I have the following in the CSS stylesheet:

@media (prefers-color-scheme: dark) {
    .sparkline {
        filter: invert(100%);
    }
}

This does not give me a perfect color match for the text color, but it’s close enough for now.

Bonus links

Section 230 Doesn’t Apply to Generative AI Enhancements to Ad Copy (But the Plaintiffs Lose Anyway) by Prof. Eric Goldman. One way of reading this decision is that Section 230 has limited applicability to Generative AI outputs. If the model outputs something new (as opposed to verbatim replicating material in its index or provided by the user), then the newly created material isn’t covered by Section 230.

The Cases That Don’t Exist by Robert X. Cringely. The entire defense of the American legal system against fabricated authority is a human being, by hand, looking up whether each cited case is real. Sometimes that human is opposing counsel. Sometimes it is a magistrate judge who, rather than deciding the motion in front of her, must stop and survey the caselaw on attorney misconduct to work out what to do about the five cases that don’t exist. Sometimes, God help us, it is a retired colonel representing himself. The work gets done by whoever happens to notice — which means, most of the time, it does not get done at all.

Andor and Authoritarianism by Daniel Solove. Andor has something to say. It transcends Star Wars and also returns it to its roots, as a story about resistance to authoritarianism. It is hands down the best creation in the Star Wars universe since The Empire Strikes Back. And, in many ways, it surpasses the originals in the depth of its writing and the seriousness and rigor in which it explores its themes. It is Star Wars without the silliness, and well worth a watch even if you don’t like anything made in the Star Wars universe since the original trilogy . . . and even if you’re not fond of those movies.

A Handful of Companies Control the Web. AICOA Can Change That. by Jenn Taylor Hodges and Elise Phillips at Mozilla. (And then the attribution cartel can put the web right back under big company control again.)

Pluralistic: The world has moved on (11 Jun 2026) by Cory Doctorow. To restore the beams and beat back entropy again, we need a better system, not more virtuous individuals. If you feel – as I do – that the world has moved on, then to wrench it back, you will have to join a polity.

Please I Beg of You Do Not Use “AI” In Your Business Communications by John Scalzi. At this point, my brain immediately and directly associates AI text in email with scam. That is its only purpose. The thing is: I’m not special. Every writer and creative person, from the most successful down to the very newest, is inundated with these scam spam emails. Lots of them, every single day. Pretty much every one of us, I assure you, now associates AI-generated text with attempted fraud.

Fully autonomous drones have killed human soldiers for the first time by Matthew Sparkes. The test took place two years ago and involved quadcopter drones that were programmed to fly towards the front line, cover between 3 and 5 kilometres over around 10 minutes and then engage Terminator mode, in which an AI model searches for and intercepts targets.

How States Can Use Consumer Protection Laws to Fight AI Fraud and Fakery by Stephanie T. Nguyen. (One of the qualities that makes this material suitable for scams is that it can be highly individualized, targeting specific individuals, groups or contexts based on data, profiles, or inferences the tool may have about the person. Related: Meta will use your activity on other websites to personalize your feeds by Emma Roth. Yes, they want to turn people into dinosaurs.)

The hilarious, extremely convincing proposal to make a beaver emoji. by April Glaser. Come October, the beaver emoji will be among this year’s class of new emojis, though it may take a whole year after that for the bucktoothed rodent to hit your phone. The proposal to include the beaver emoji comes thanks to a cadre of Canadians, lesbians, semi-aquatic mammal enthusiasts, and emoji specialists who wrote an extremely convincing and rather hilarious proposal, which in March was submitted to the Unicode Consortium, the nonprofit responsible for standardizing text and emoji across devices. (Good news for capybaras, IMHO. Denied in 2017, 2020, and 2025, will be eligible to re-submit in 2029.)

Google’s AI opt-out leaves publishers with a choice they can’t safely use by Jessica Davies and Sara Guaglione. The practical questions now are who, if anyone, will flip the toggle and what level of traffic loss makes that untenable. Many believe the combination of opt‑out, lack of data and competitive pressure means very few publishers will actually pull their content. (Realistically, if a publisher blocks their content from direct use by AI Overviews that just means more incentive for vibe CMS providers to paraphrase it. The vibe CMS sites themselves aren’t breaking any law, but solve the same cheap content problem for Google that infringing sites do.)

You Don’t Love systemd Timers Enough (IMHO has someone who has both had to administer network services and written web applications, the main good part about systemd is not so much the sysadmin side, but the way that it lets you delegate the service management stuff from the application side. You don’t have to develop and maintain the “daemonizing” and scheduling and other features that ever service needs.)

Just Fucking Use Go You know what compiles in two seconds, deploys as a single binary, and doesn’t shit itself when a transitive dependency gets yanked from npm at 3am? Go. The same way HTML has been sitting there since the dawn of the goddamn internet waiting for you to stop overcomplicating the frontend, Go has been sitting there for over a decade waiting for you to stop overcomplicating the backend.

Niamh McIntyre, for The Guardian:

These [Facebook] accounts – and there are hundreds, possibly thousands of them – present themselves as the work of British patriots. In one typical, AI-generated video, a middle-aged man claims his local cafe “has stopped serving pork, bacon and sausages just to avoid offending people”. Another post from the same account includes a sepia-tinted set of images of Victorian London, mourning a time when the city “was English, first-world and beautiful”. Alongside this type of reactionary nostalgia, it’s not unusual to see memes that call Islam a “cancer”, decry Muslims praying in public as an “invasion of the west” or promote the “great replacement theory” (which claims that white populations are being deliberately replaced by non-white immigrants).

For the past seven months, I have been investigating who is really behind pages like these. The answer, it turns out, is often young, entrepreneurial men from south Asia. They tend to have zero interest in UK politics, but the content they create often boosts far-right talking points in Britain and contributes to the increasingly hostile atmosphere for immigrants and British Muslims.

Read the whole thing: Who’s behind the Facebook page posting hateful AI slop about the UK? The answer might lie in south Asia.

The most important part about these “social media content creators,” from the point of view of Meta and the other Big Tech companies, is their material is cheap. Generative AI, low wages, zero research or news-gathering expenses—there is no way that a legit news site can compete in raw seconds of attention per currency unit. And they don’t just work in politics. There’s probably even more of this kind of slop about health-related topics.

Big Tech wins when they can move more ad money to support cheap slop and misinformation instead of more expensive content.

The problem for advertisers, of course, is the halo effect. Advertising just works better in a more trustworthy context. Content is not a commodity. Check that link for sources—I just added another one since I put that post up. Social science research and marketing research are notoriously hard to replicate, but the halo effect, along with a reverse halo effect for toxic content is one of those results that keeps replicating, no matter how inconvenient it is for the Big Tech companies that oligopolize the advertising market. Slop is just not a drop-in replacement for legit content as an advertising context.

Even though ad-supported content is not a commodity, the Big Tech companies of today are used to running a strategy that Joel Spolsky summed up as Commoditize your complements back in 2002, and that Bill Gurley wrote more about recently. For example, replace an expensive input like Sun servers with racks of generic PC servers, and replace expensive licensed software with open source. The biggest open source successes aren’t the acquisitions of Red Hat and other pure open source companies. The biggest impact has been internal. Google, and later Meta, answered the question “build or buy?” with neither, and chose to peer produce instead.

That peer production decision was, in many cases, a benign one. Big Tech “kernel teams” work on the Linux project, which regularly cranks out not a datacenter release and a mobile device OS release, but a general-purpose kernel release that even a low-budget developer can customize for almost anything you would need an OS for. The companies also support peer production of video codecs through the Alliance for Open Media. YouTube doesn’t have to pay for patent licenses—and as a side effect, neither does an independent filmmaker or the builder of a home media PC. Commoditizing the complement, when it works, causes a lot of the good stuff on the Internet. Imagine how dismal it would be to deploy even a basic database-backed CRUD application if open source databases such as if PostgreSQL hadn’t been supported by earlier developers. And the process continues in more adjacent IT markets. Today, RISC-V is a solid replacement for ARM for many uses.

The place where commoditization breaks down, though, is where there’s no commodity. Facebook Slop Guy is not a drop-in replacement for a legit site, even if you ignore the positive externalities of the latter. (For more on various theories on how advertising really works, or not, see The Anatomy of Humbug.)

The only way to fit Facebook slop (and crappy app store and search ads) into the same market niche as legit sites is, well,

Control the coinage and the courts—let the rabble have the rest. — The Padishah Emperor, in Dune by Frank Herbert

If the attribution cartel can control the standards for how advertising results are measured (and do the math in an obfuscated way, hidden from third-party checking) then all of a sudden Facebook Slop Guy isn’t just a commodity replacement for a legit site, he’s a better choice, with ROAS going up and to the right. That’s what I was on about in What Happens When The Attribution Cartel Meets Advertising’s Halo Effect?.

Commoditizing the complement is great when the commodity product is a viable replacement for the scarce, costly original. But the attribution cartel is trying to use the wrong tool for the job. There is some hope here, because commodification strategies don’t always work.

• Lindows, later Linspire, was a high-profile project to do a desktop operating system compatible with Microsoft Windows.

• Open Source Applications Foundation intended to produce an open-source, interoperable personal information management suite (like a replacement for Microsoft Outlook+Exchange)

Both of those went up against Microsoft, and there’s no Microsoft this time. Just a lot of companies of all sizes that are either in the ad-supported publishing business, or the advertising agency business. But the failures didn’t just fail just because of who the adversary was. A big part of their story arc was getting too much attention, too soon. Neither one was ready. The time for a commoditize the complement project to become a story is when it’s capable of successful niche projects, like Linux print servers. If it gets too much ink too early, it can flame out. Fortunately, the attribution cartel is not ready. By W3C’s own standards, they have a bunch of outstanding issues.

Is the “Attribution” proposal at W3C really part of a fundamentally wrong direction for the web, or is there a pony under here somewhere, and the proposal is just incomplete?

Instead of rushing to make a decision, W3C members should heed some wise advice: Don’t click. Count! Let’s count to 9 together.

1. Paradoxical increase in user privacy risks. See Methodological concerns regarding Attribution Level 1 and causal measurement. Although the system has some privacy properties when considered in isolation, in the context of the real web it increases incentives for “more first-party identity harvesting” and other problematic practices. So it creates more, not less, privacy risk for end users. Making an ad that actually sells a product or service is much harder than using surveillance data to identify someone about to buy and getting an ad in front of them. ML systems “learning” to optimize the attribution reports will tend to do better with more surveillance data to pursue the second option.

2. Structural bias toward channels positioned closest to observable conversion activity, including search, retail media, retargeting and click-oriented social advertising. The W3C Is Making A Mistake About Measuring Advertising Effectiveness. This proposal would tend to drive ad money toward “lower funnel” Big Tech placements such as search, social, and app store ads—depriving users of some positive externalities of legit ad-supported content and exposing them to more negative externalities from social media.

3. Incentives to suppress the “halo effect” of running ads on trusted sites. All of the attribution cartel companies are under pressure to shift ad spend from the “open web” to their own contexts. We might be able to trust the current developers working on the project to stay honest, but we have to consider who might be running this thing a couple rounds of layoffs from now. (The “pivot to video” saga shows what happens when marketing data meets pressure to produce the “right” results for some hot new strategy.)

4. Problematic USA centralization. In a world where tech sovereignty is trending, and A Handful of Companies Control the Web this proposal would hand control of a new information chokepoint to a few large companies here in the USA. A politician here could impose content-based punishments on sites worldwide, by requiring compliant Big Tech platforms to deny or filter the attribution reporting available to their advertisers, even advertisers outside the USA.

5. Sustainability. This proposal lacks a sustainability section. Even an estimate would provide some help to advertisers and agencies that want to report on emissions or general environmental impact.

6. Missing GPP support. Instead of handling the industry-standard Global Privacy Protocol, this proposal creates an extra, error-prone, compliance coding problem for every GPP-using site. This violates W3C’s Web Platform Design Principles: User needs come before the needs of web page authors, which come before the needs of user agent implementors, which come before the needs of specification writers, which come before theoretical purity. (Considered as a work of theoretical purity, this proposal might be just fine, but in practice it would offload the GPP detail work onto web sites, and extra risks onto users, when GPP support could have been handled by spec writers and user agent implementors.) (Issue #450)

7. A step backward on support for extensions. A similar system propsed as part of Google Chrome’s “Privacy Sandbox” implemented a chrome.privacy API, which helped users by letting extensions turn the ad features off. But this proposal omits the extension API, and makes extensions inject a script. (Issue #449)

8. No simulated data. Some of the companies behind this proposal already have conventional tracking data that they could have used to show how the attribution reports would have come out if the system had been in effect. If they had evidence to contradict items 1-3 they could have shown it already.

9. Public policy and lobbying considerations. Although the attribution reports are of limited use for professional marketers because of issues 1-3 above, the reports will be very useful for Big Tech companies making claims about how small businesses depend on them. Everyone who works on any privacy or competition issues is going to have to deal with papers based on this data popping up in any argument about restricting Big Tech in any way.

That’s about it. Anyway, please think before you click.

Bonus links

Digital Sovereignty Becomes An Imperative As the US Reads Dutch Emails by Kevin Korte. According to reporting from the Netherlands, Microsoft allegedly shared the names and internal communications of Dutch officials working on EU platform regulation with the U.S. House of Representatives, including email addresses, meeting minutes, and invitations. Those officials were tied to agencies that enforce the Digital Services Act, making the context especially sensitive because the data belonged to regulators shaping Europe’s platform rules.

Valve kills its retail gift card program due to scammers by Kyle Orland. (Gift cards are a security issue for the recipient, too. 20 Years of Digital Life, Gone in an Instant, thanks to Apple — Dr Paris Buttfield-Addison)

Landmark German ruling declares Google’s AI Overviews are Google’s own words and makes it liable for false answers by Matthias Bastian. Google adds that AI overviews can occasionally miss context or misinterpret web content, just like traditional search results. But that’s exactly where the Munich ruling disagrees. The court draws a line between AI overviews, which generate new content loosely based on sources, and traditional search results, which list sources with direct quotes. That distinction is what makes Google directly liable, according to the court.

One of the problems with the attribution cartel at W3C is, as Rick Bruner explains in The W3C Is Making A Mistake About Measuring Advertising Effectiveness, a “structural bias toward channels positioned closest to observable conversion activity, including search, retail media, retargeting and click-oriented social advertising.”

The attribution cartel companies haven’t released any data to back up a claim to the contrary. They claim benefits to legitimate sites, but so far, it’s all hypothetical.

The weird part is that several of the attribution cartel companies already have extensive tracking data. So where is the study showing how the attribution reporting would have come out, if the users in the history dataset had had attribution tracking turned on?

Absence of evidence is not always evidence of absence, but absence of a report that (1) could have been produced based on existing data and that (2) could make a strong case for the data holder’s position is at least sus.

A good example of the simulation approach is Inferring Users’ Demographics and Sensitive Interests Using the Topics API by Athicha Srivirote, Muhammad Abu Bakar Aziz, Jeffrey Gleason, Desheng Hu, and Christo Wilson. That study did not use the in-browser Topics API. Instead, the researchers calculated what the Topics API data would have shown based on a conventional browsing history data set—and got the results that many expected (but that Google somehow chose not to check at the time).

Personally, I would bet that the structural bias shows up in an unavoidably clear way, just because if it wasn’t there we would have heard by now. They have the data to get it through based on data—so why aren’t they using it? Why are they relying on the same kind of rush tactics that Craig Newmark and the Count warned us about? W3C doesn’t have to YOLO the Attribution proposal. An accurate simulated attribution report would help to “think before you click” and make an informed decision.

Bonus links

Meta workers can opt out of being tracked at work up to 30 min by Laura Cress and Osmond Chia.

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts by Brian Krebs.

If search and social advertising are so good for small business, why are we buying more and more of our stuff from fewer and fewer companies? If the Big Tech lobbyists were even half right about the benefits of their ad services to small firms, we should have had a small business boom in the mid to late 2010s, after most adults had smartphones but before CCPA and Apple ATT. Instead, small businesses are getting squeezed, as their own ad budgets work against them. In Consumer Data Privacy Act helps MA small business, consumers, Theodora Skeadas writes,

Such success stories are increasingly hard to find these days. One insidious, and perhaps unexpected, reason: the rise of online surveillance, enabled by the unrestricted mining and exploitation of consumer personal data.

Many technology companies track users’ every move through the digital world, amass detailed dossiers about consumer habits, hobbies and preferences, and repeatedly sell that data to the highest bidders. That means consumers are constantly served online ads based on information that was never intended to be shared with anyone.

These ads prompt many shoppers to turn away from local vendors, and buy instead from big corporations that utilize their leverage and wider supply chains to undercut local businesses on price.

And the beneficiaries of cross-context tracking aren’t just big retailers competing on scale or “partnerships.” Much of the benefit of cross-context tracking flows to obvious fraudulent advertisers.

The Big Tech companies don’t exactly “sell…data to the highest bidders.” What happens inside a big platform when a small business runs an ad is an auction: the legitimate ad must bid for impressions against other ads—and the Big Tech companies add extra bidders to drive up the price. And the price has to keep going up. Companies that already dominate a market that’s growing at single-digit rates have to keep taking a bigger piece of the action from every sale in order to sustain their own startup-like, double-digit growth rates. The result is an online scam crisis that benefits only Big Tech and the scammers.

It’s time to rethink state privacy laws in the context of scam culture. State laws can be win-win when they focus not on the “compliance” paperwork that Big Tech has already learned how to offload, but on reducing the real-world privacy harms that result in losses to scams and value extraction by Big Tech. (For example, state laws that focus on “data brokers” are effective against the “Lumascape” of legacy adtech firms, but not against the Big Tech platforms where data checks in but doesn’t check out.)

Most of the large-scale privacy harms to users are side effects of various schemes that Big Tech is running against either the creators of ad-supported resources or the buyers of advertising. Some of those schemes are run openly, like the bogus attribution reports thing, and some are behind the corporate firewalland hard to analyze. A kind of cheat code for privacy protection would be state laws that protect advertisers. Everyone else would win as an unavoidable side effect—customers are on the same side as legitimate businesses, because every win-win deal has two sides. It’s basic accounting: a positive outcome for a consumer means that some honest company made a sale, and a negative outcome means some money that won’t get spent or invested.

More: Suspicion and slop in the rugpull economy

Bonus links

Distributed terrorism as ARG by Adrian Hon. Anyway, maybe I’m crazy but maybe we should provide exciting real world activities for teens to do that don’t further the FSB’s agenda?!

The Casino of Attention — AdTech did not “improve the internet.” by Sylwester Mielniczuk. Instead of rewarding quality, programmatic advertising rewarded volume, arbitrage, cheap traffic, SEO spam, outrage, and “made-for-advertising” pages. Even industry reports admit ad fraud, MFA sites, and campaign measurement remain major concerns.

Apple added a second ad to App Store search results. My downloads stayed flat, my costs doubled by Chris Lindsay. Search ads used to feel additive, like a way to accelerate growth. Increasingly, they feel mandatory: a way to pay for visibility you previously earned organically. Thanks to Nick Heer for the link.

The Invisible Cost of “Dirty Data by Jay Mandel. The data economy has morphed from tailoring experiences to active manipulation, creating severe economic disadvantages based on who algorithms think you are.